SCCM and Bitlocker TPM Real Life

Alright, I felt like blogging some more about getting the TPM activated on Dell, HP and Lenovo, to get Bitlocker in action.

Common Steps I use:

  1. DC – Prepare Active Directory
  2. SCCM – Prepare a 350MB Bitlocker partition in TS
  3. SCCM – Update BIOS
  4. SCCM – Reboot
  5. SCCM – Enable/Activate TPM and Set BootSequence
  6. SCCM – Reboot
  7. SCCM – Enable Bitlocker and place it as the last step in the TS
  8. SCCM – Add Disable Bitlocker on the Top of the TS
  9. SCCM – Use DCM in 2007 or Settings Management in 2012 to monitor that your Clients are secured with Bitlocker.

The tricky part is step 4: each vendor has its own way of turning on features in the BIOS. And since the TPM is a security device, you may have trouble setting this configuration if the BIOS has an Admin password etc., and you may lock yourself out. Oh, and yes, the BIOS update can be a bit tricky too; I've blogged about that before.
With ConfigMgr 2012 SP1 you can add a Pre-provision Bitlocker step to your Task Sequence that starts encrypting the disk right before the Apply Operating System Image step.
This way the encryption is almost complete when the OSD finishes, and with very little overhead.
Cool feature!
1. Do the required steps to prepare your Active Directory first and set the Group Policies.
Then, before you add the Enable Bitlocker step to the SCCM Task Sequence, you need to get the TPM chip activated on the client computers prior to that step.
So here we go.
It's all very easy when you know how, right 🙂
You can test the command lines manually, but remember to run the cmd as Administrator.

Dell
You need to get your hands on the Dell CCTK.
The latest version of CCTK is 2.1.
The CCTK gives you the ability to turn on the TPM chip, set the password, BIOS settings etc.
You can either inject it into the boot image, or just use it as an application package and run the commands.
The second option is the easiest.
Dell TPM Bios – SCCM Task Sequence example
Remember the checkbox Disable 64-bit file system redirection on the 64-bit Task Sequence step.

HP
The REPSET file is the clue here.
First, download the utility needed, the HP BIOS Configuration Utility (BiosConfigUtility.exe).
You need to create a TPMEnable.REPSET file.
This is what I've created, listed as text here:
Reset of TPM from OS
OS Management of TPM
Activate Embedded Security On Next Boot
Embedded Security Device Availability
Embedded Security Activation Policy
F1 to Boot
Allow user to reject
*No prompts
Power-On Authentication Support
Password Minimum Length
At least one symbol required
At least one number required
At least one upper case character required
At least one lower case character required
HP SpareKey
Always Prompt for HP SpareKey Enrollment
Are spaces allowed in password
Boot Order
Hard Drive(C:)
Network Controller
Now for SCCM, the command line is:
BiosConfigUtility.exe /setConfig:TPMEnable.REPSET /NewAdminPassword:Nicolai1!
Yes, with HP you have to set an Admin password, just like Dell.
But what if you already have a password?
Then run this (the current setup password goes in /cspwd, the new one in /nspwd):
BiosConfigUtility.exe /setconfig:TPMEnable.REPSET /cspwd:"Passord" /nspwd:"Passord"

It is very often smart to test the commands manually if they are not working for you as expected.
Now, this is the status you want in TPM Management in Windows:
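As an added example (my code, not from the original post), this is how to read the same TPM state from PowerShell in the full OS and hand it to the task sequence as a variable, so the vendor-specific activation step can be skipped when the chip is already enabled and activated; the variable name TPMReady is my own choice.

```powershell
# Added example, not part of the original post. Run in the full OS as Administrator.
# Reads the TPM state that TPM Management (tpm.msc) shows, via the Win32_Tpm WMI class.
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm
if (-not $tpm) {
    Write-Output 'No TPM found: the chip is absent or still hidden/disabled in BIOS.'
    $ready = $false
} else {
    # Each method returns an object carrying the boolean out-parameter of the same name.
    $enabled   = [bool]$tpm.IsEnabled().IsEnabled
    $activated = [bool]$tpm.IsActivated().IsActivated
    $owned     = [bool]$tpm.IsOwned().IsOwned
    Write-Output ("TPM enabled={0} activated={1} owned={2}" -f $enabled, $activated, $owned)
    # Enabled + activated is what the Enable Bitlocker step needs; that step takes
    # ownership itself, so 'owned' is informational only.
    $ready = $enabled -and $activated
}

# Hand the result to ConfigMgr so later steps can use the condition
# "Task Sequence Variable TPMReady equals True" (variable name is my own choice).
try {
    $ts = New-Object -ComObject Microsoft.SMS.TSEnvironment
    $ts.Value('TPMReady') = [string]$ready
} catch {
    Write-Output 'Not running inside a task sequence; TPMReady not set.'
}
```

Put the vendor-specific BIOS step behind the condition TPMReady equals False so it only runs on machines that actually need it.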
The computer is now ready for the Enable Bitlocker step in the Task Sequence.

Lenovo
Lenovo made it very easy actually. It's all about WMI. 🙂
Download the script and put it in a package.
Sample Scripts for BIOS Deployment Guide
BIOS Setup using Windows Management Instrumentation Deployment Guide – English
But somehow Lenovo used different names in the BIOS for enabling the TPM depending on whether it is a laptop or a desktop: SecurityChip and TCG Security Feature.
So the command for a laptop is:
Cscript.exe SetConfig.vbs SecurityChip Active
and for a desktop:
Cscript.exe SetConfig.vbs "TCG Security Feature" Active
You can list the Bios settings with this command:
cscript.exe ListAll.vbs
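As an added example of what SetConfig.vbs does under the hood, here is the same operation in PowerShell against Lenovo's WMI classes (this is my code, not Lenovo's script); it detects which of the two setting names this BIOS exposes, so one task sequence step works for both laptops and desktops. It assumes no BIOS supervisor password is set; the password form of the call is noted in a comment.

```powershell
# Added example, not Lenovo's SetConfig.vbs. Run in the full OS as Administrator.
$ns = 'root\wmi'

# Lenovo_BiosSetting exposes every setting as "Name,Value" in CurrentSetting;
# the name is everything before the first comma.
$names = Get-WmiObject -Namespace $ns -Class Lenovo_BiosSetting |
    Where-Object { $_.CurrentSetting } |
    ForEach-Object { $_.CurrentSetting.Split(',')[0] }

# ThinkPad exposes "SecurityChip", ThinkCentre exposes "TCG Security Feature".
$setting = if ($names -contains 'SecurityChip')          { 'SecurityChip' }
           elseif ($names -contains 'TCG Security Feature') { 'TCG Security Feature' }
           else { throw 'No TPM setting found in this BIOS.' }

$set  = Get-WmiObject -Namespace $ns -Class Lenovo_SetBiosSetting
$save = Get-WmiObject -Namespace $ns -Class Lenovo_SaveBiosSettings

# With a supervisor password the arguments become "$setting,Active,<pwd>,ascii,us"
# and SaveBiosSettings("<pwd>,ascii,us"); <pwd> here is only a placeholder.
$r = $set.SetBiosSetting("$setting,Active")
if ($r.return -ne 'Success') { throw "SetBiosSetting failed: $($r.return)" }

$r = $save.SaveBiosSettings('')
if ($r.return -ne 'Success') { throw "SaveBiosSettings failed: $($r.return)" }

Write-Output "$setting set to Active; reboot before the Enable Bitlocker step."
```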
Set the Boot Order to HDD first.
The way the TPM secures the encryption keys is by ensuring that your system boots the same way it did at the time you enabled BitLocker. This means that if you are encrypting your system drive (C:), it is important to set the boot order so that the hard drive is always first.
It is therefore important that the boot order is not changed after Bitlocker is enabled.
If you need to make changes, like a BIOS update etc., pause/disable Bitlocker in Windows first.
And if you only want BitLocker on laptops, it is easy to do with a Task Sequence Variable and the MDT Toolkit. The condition is then IsLaptop Equals True.

8. SCCM – Add Disable Bitlocker on the Top of the Task Sequence
To be able to refresh a computer you need to turn off Bitlocker on the C: partition.
This is done very simply by adding Disable Bitlocker at the top of your Task Sequence,
with the Task Sequence Variable condition _SMSTSInWinPE Equals "false",
because you only want to run the step when not in WinPE.

9. SCCM – Use DCM in 2007 or Settings Management in 2012 to monitor that your Clients are secured with Bitlocker.
Setting up Settings Management in SCCM 2012
Name it Bitlocker Active
Namespace:  root\CIMV2\Security\MicrosoftVolumeEncryption
Class:  Win32_EncryptableVolume
Property:  DriveLetter

  • On the Compliance Rules
  • Operator:  Equals
  • Value:  C:
  • Severity:  Critical

Monitoring … where to look?…
See also Lars Vegar Halvorsen's blog post about TPM.
The TPM chip is not always inactive, and the password is not always unset; when they are already in place, the script/TS step fails.
He has written a PowerShell script to help you with this logic.
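A rule on DriveLetter Equals C: only proves that an encryptable volume C: exists, not that it is encrypted and protected. The following added example (my code, not from the original post or from Lars Vegar Halvorsen's script) checks protection status, conversion status and the presence of a TPM key protector from the same WMI class, and prints Compliant or Non-Compliant so it can be used as a script-based setting in Settings Management with a rule on that value.

```powershell
# Added example, not from the original post. Run as Administrator in the full OS.
$ns  = 'root\cimv2\Security\MicrosoftVolumeEncryption'
$vol = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume -Filter "DriveLetter='C:'"
if (-not $vol) {
    Write-Output 'Non-Compliant: no encryptable volume C:'
    return
}

# ProtectionStatus: 0 = unprotected (BitLocker off or suspended), 1 = protected, 2 = unknown
$protection = $vol.ProtectionStatus
# GetConversionStatus: 0 decrypted, 1 fully encrypted, 2 encrypting, 3 decrypting, 4/5 paused
$conversion = $vol.GetConversionStatus().ConversionStatus
# GetKeyProtectors(1) returns only protectors of type 1 = TPM; pipe through
# Where-Object so a missing/empty result counts as zero, not one.
$tpmProtectors = @($vol.GetKeyProtectors(1).VolumeKeyProtectorID | Where-Object { $_ })

$reasons = @()
if ($protection -ne 1)          { $reasons += "protection status is $protection" }
if ($conversion -ne 1)          { $reasons += "conversion status is $conversion" }
if ($tpmProtectors.Count -eq 0) { $reasons += 'no TPM key protector' }

if ($reasons.Count -eq 0) {
    Write-Output 'Compliant'
} else {
    # Protection 0 with conversion 1 is the classic case of a BIOS update where
    # Bitlocker was suspended and never resumed: encrypted, but not protected.
    Write-Output ('Non-Compliant: ' + ($reasons -join '; '))
}
```

Use the script as a setting with a compliance rule of value Equals Compliant and the same Critical severity as the rule above.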
